PHI-Exposing Data Security Incidents Discovered by Purdue University

by Ryan Coyne | May 31, 2018

Purdue University have been discovered two security breaches that may have lead to unauthorized people obtaining access to the protected health information of patients.

During April Purdue University’s security team identified a file on computers used by Purdue University Pharmacy showing that the devices had been remotely logged onto by an unauthorized person. The file was installed on the devices around September 1, 2017.

The computers included a restricted amount of protected health data including patients’ names, birth dates, timess of service, identification numbers, internal identification numbers, diagnoses, appointment information and amounts invoiced. No personal financial information or Social Security numbers were stored on the computer that was accessed.

A review into the data breach did not find any proof to suggest any patient information was obtained and no reports have been received to suggest any patient data have been improperly used. However, since it was not possible to eliminate unauthorized PHI access with a high degree of certainty, patients have been alerted of the breach.

During the investigation, the security team also identified a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was found on May 4. The review showed it has been placed on the computer on or around March 15, 2018.

The variety of malware used in the attack was not released, although it is possible it allowed unauthorized people to gain access to PHI.

Data stored on the computer incorporated patients’ names, health insurance numbers and some patients’ driver’s license details and Medicare numbers. While data access could have happened, no proof was found to suggest any PHI was viewed or obtained in the attack, although since this could not be completely ruled out patients have been alerted. Patients whose driver’s license details and/or Medicare number were obtained have been offered free credit monitoring services for 12 months.

The breaches have lead to Purdue University’s security team to adapt extra security controls and enhance monitoring. The network will also be segmented and full drive encryption will be adapted.

The official breach report filed to the Department of Health and Human Services’ Office for Civil Rights (OCR) shows that 1,711 people were affected by these breach attacks.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter